<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Trying to create an exclusion for a process with a specific cmdlet (exploit) in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/trying-to-create-an-exclusion-for-a-process-with-a-specific/m-p/385170#M553</link>
    <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/88931"&gt;@RNance&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Creating an exception would prevent the rule from executing, allowing the PowerShell script to run. The alert, on the other hand, may well be generated in a generic format, which can be suppressed via exclusion. However, permitting the script to run is a use-case for the exploit rule exception. Furthermore, exploit protection exceptions do not support target scripts as a parameter at this moment in time. That would be a feature request at this point, which your account team should be able to report on.&lt;/P&gt;</description>
    <pubDate>Wed, 10 Feb 2021 18:42:50 GMT</pubDate>
    <dc:creator>gjenkins</dc:creator>
    <dc:date>2021-02-10T18:42:50Z</dc:date>
    <item>
      <title>Trying to create an exclusion for a process with a specific cmdlet (exploit)</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/trying-to-create-an-exclusion-for-a-process-with-a-specific/m-p/385092#M549</link>
      <description>&lt;P&gt;For the past couple of days, we have received a low-priority alert with the following params:&lt;/P&gt;&lt;P&gt;Source: XDR Agent&lt;/P&gt;&lt;P&gt;Category: Exploit&lt;/P&gt;&lt;P&gt;Action: Prevented (Blocked)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In researching the alert in the alert table, I have determined that the action is tied with a homegrown PowerShell cmdlet.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;My conundrum is I want to create an exclusion for the specific powershell.exe Get-CustomCmdlet. However, since this is a support terminal server with numerous support users, I do not want to just give carte-blanche access to PowerShell. I haven't been able to figure out this specific scenario.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 10 Feb 2021 14:38:40 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/trying-to-create-an-exclusion-for-a-process-with-a-specific/m-p/385092#M549</guid>
      <dc:creator>RNance</dc:creator>
      <dc:date>2021-02-10T14:38:40Z</dc:date>
    </item>
    <item>
      <title>Re: Trying to create an exclusion for a process with a specific cmdlet (exploit)</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/trying-to-create-an-exclusion-for-a-process-with-a-specific/m-p/385124#M550</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/88931"&gt;@RNance&lt;/a&gt;,&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;My recommendation would be to create an exception for this activity. The exception would only allow the custom script to get past only the referenced exploit protection rule while still applying other exploit protection rules as desired. You can create an exception for this exploit rule by right-clicking the alert, going to "manage alert," and then selecting "create alert exception."&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="exploit_exception_TakeI.gif" style="width: 400px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/29895i58E00B0730E549A8/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="exploit_exception_TakeI.gif" alt="exploit_exception_TakeI.gif" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt; &lt;BR /&gt;This exception can be applied globally or to a specific profile that would only affect a set of devices, whichever is more appropriate for your environment. Given that your description only mentions one terminal server, I would recommend creating a unique exceptions profile and applying it only to that endpoint. Instructions on how to create an exceptions profile can be found &lt;A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/exceptions-security-profiles/add-exceptions-profile.html" target="_self"&gt;here&lt;/A&gt;.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 10 Feb 2021 16:00:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/trying-to-create-an-exclusion-for-a-process-with-a-specific/m-p/385124#M550</guid>
      <dc:creator>gjenkins</dc:creator>
      <dc:date>2021-02-10T16:00:53Z</dc:date>
    </item>
    <item>
      <title>Re: Trying to create an exclusion for a process with a specific cmdlet (exploit)</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/trying-to-create-an-exclusion-for-a-process-with-a-specific/m-p/385157#M552</link>
      <description>&lt;P&gt;Yes, however when creating an exception in that manner, all it really does (or at least says) is that it will create a Generic alert based on the process name powershell.exe. However, I need it to go beyond just powershell.exe and to include the cmdlet. Essentially, I need to create an exception based more on the "Initiator Cmd" as opposed to just the "Initiated By". The way the exception is perceived is that you are providing an exception just to powershell.exe, which is too broad.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I was envisioning something akin to&amp;nbsp;&lt;SPAN&gt;Malicious Child Process Protection where you can define a child process command line param. The difference here is that PowerShell is the parent process and there is no child process in this example. Thanks.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 10 Feb 2021 18:34:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/trying-to-create-an-exclusion-for-a-process-with-a-specific/m-p/385157#M552</guid>
      <dc:creator>RNance</dc:creator>
      <dc:date>2021-02-10T18:34:16Z</dc:date>
    </item>
    <item>
      <title>Re: Trying to create an exclusion for a process with a specific cmdlet (exploit)</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/trying-to-create-an-exclusion-for-a-process-with-a-specific/m-p/385170#M553</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/88931"&gt;@RNance&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Creating an exception would prevent the rule from executing, allowing the PowerShell script to run. The alert, on the other hand, may well be generated in a generic format, which can be suppressed via exclusion. However, permitting the script to run is a use-case for the exploit rule exception. Furthermore, exploit protection exceptions do not support target scripts as a parameter at this moment in time. That would be a feature request at this point, which your account team should be able to report on.&lt;/P&gt;</description>
      <pubDate>Wed, 10 Feb 2021 18:42:50 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/trying-to-create-an-exclusion-for-a-process-with-a-specific/m-p/385170#M553</guid>
      <dc:creator>gjenkins</dc:creator>
      <dc:date>2021-02-10T18:42:50Z</dc:date>
    </item>
  </channel>
</rss>